
A
Welcome to scrolling to death. I'm jumping on last minute today because we just experienced one of the largest cyber attacks in the history of our education system. This could have affected over 275 million people, including young children. On April 29, 2026, a hacker group called Shiny Hunters accessed Canvas, a cloud-based learning management system created by a company called Instructure. The attack on April 29 didn't make the news. The system was secured internally. But again on May 6th and 7th, attackers regained access. I started hearing from tons of parents,
B
some of whom were panicking.
A
They would log into Canvas and get a ransom note from the hackers which
B
said, quote, you have until the end
A
of day, by May 12, before everything is leaked. This, this is a situation we have
B
to take very seriously because we're talking
A
about the theft of the most valuable thing in our society, data, our children's data. You're probably wondering what was exposed? Was your child impacted? Who was responsible for this? And what the hell do we do now? That is what I'm going to cover today with Andy Liddell, attorney with the EdTech Law center here.
B
Why don't we start with what is Canvas and how widely is it used?
C
Canvas is a learning management system. The company that makes it is called Instructure. And essentially what a learning management system is, it's the interface between kids in school on a computer. And so there's a lot that happens. And so this is where lessons are published, where study materials are published, where tests and quizzes are taken. And then there's this whole backend side of it too, that schools or school districts or universities use for administration. Instructure is one of the largest of these companies. They have made a good product that people tend to like. You know, they had a different background where people who started the company came from higher education. They were actually working in higher education at the time. And so, you know, when they built this thing originally, 15 years ago, it was to solve felt problems. The challenge is as they've gotten different investment and gone public and taken private. Those things have become a little bit misaligned with the original mission. But I think it became pretty popular for not necessarily bad reasons.
B
Okay. And it's used, I read in over 8,000 schools in North America, half of all higher education institutions, and 40% of U.S. K through 12 school districts. In doing their business, they collect a lot of data. Can you talk a bit about just the data collection before we get into the breach?
C
Feels like deja vu all over again. But this is the second time this has happened where we've sued a company for data privacy violations, warning that one of the risks was that they would be hacked, and then indeed they were later hacked. This happened with PowerSchool, who we sued in May of 24 and then they announced a hack in December of 24 and then it's now happened with Instructure, who we sued in March of 25 and they announced a hack a year later. And so I promise we're not, we're not Shiny Hunters. That's crazy. But you know, but it's just, it's inevitable. It's inevitable because of the volume of information they collect. So, so we do have active litigation against, against them. And so I want to be clear that anything I say is, is an allegation. It's based on public records, based on our investigation, none of these have been proven in court yet. And so, but by its own admission, Instructure takes a lot of information. I mean pages and pages. We do detail this in our complaint. And so it's all the stuff that you'd expect that would be needed to run a school. Demographic information about kids, performance grades, behavior information. But with Instructure, their philosophy is one of what they call interoperability, which is a lot of other companies can plug into its platform and get access to its data, but I would call that promiscuous sharing of information without consent. Right. And so what they market as this really good thing we correctly identified as a tremendous vulnerability in how they're set up. And so, you know, Instructure is what they call their ecosystem, that we have all this information and then we share it with all these other ed tech developers and providers and make it interoperable. So it's this seamless sharing of information. And so you know, what's, what's happened with this hacking group? Well, really isn't that much different than what Instructure does for a business model.
You know, except that the hackers obviously are trying to release this en masse in exchange for a ransom, whereas other companies are trying to build products on top of the information. But it's really not all that different.
B
Okay, talk about now what happened in this breach that started in late April and seemed to happen again just a few days ago?
C
Yes. So there's a lot of information that's still coming out, but we're still really early. And so, and a lot of this is the, the hackers' own statements about what they've done. And so 8,809 schools, universities and education platforms have been affected. According to Shiny Hunters, the gang taking responsibility for this, they've claimed to have stolen 280 million student and staff records. So this seems to affect, obviously, not just K12, but higher education as well, because that's a lot of records, and that's all over the world, too. It's a lot of people who are being affected. The type of information that Shiny Hunters claims to have collected includes things like user records, private messages, enrollment data, and then information that they gather through Canvas, what they call data export features, and APIs, application programming interfaces. And so it sounds like it could be everything. It's a lot of information. And again, the hackers claim to have taken over three terabytes of information. That's a ton. It's a lot of information.
B
I got messages with an attachment, and it was this ransom note that the hackers were sending out or somehow the parents were getting access to, maybe when they logged in to the. Or tried to log into the Canvas account. Can you talk about this ransom note and is this typical?
C
So not a cybersecurity incident investigator. And so I can't speak to whether it's typical or not, but it does sound typical based on the reporting of. Of this group.
A
Okay.
C
And so, I mean, like any. Any good hijacker, you. You. You want people afraid, right? And. And you want them scared, and you want your ransom. Not. I don't think these people tend to overstate what their capabilities are and what they've done. I think that based on reporting, they are kind of good for what they say they are and the things they claim to have done, they actually have done. And so, yes, what I understand that happened is that they were able to get credentials to the system. And then when people went to log on to Canvas, this ransom note was displayed and had a link to a text file that had all of the affected institutions. I mean, it is a way of sowing panic and upset and outrage, all of the things that would make institutions inclined to pay the ransom.
A
Right, okay.
B
And it says things like, you have till the end of the day, May 12, before everything is leaked. And parents are wondering, what does that mean? What information is gonna get out and how valuable is that to them? Should I be worried about what's out there now about my child? So can you speak to that?
C
These concerns were what animated our lawsuit, you know, over a year ago. This exact thing where, you know, you have control from the jump whether this information is collected about your kids to begin with. You have no control about where in Instructure's ecosystem it's going. And then now that it has been hacked and breached and potentially will be leaked, you have no control over whether the ransom is paid and whether your kid's privacy is protected. And so we're recording this on the morning of Monday, May 11. And so according to Shiny Hunters, we have until tomorrow evening on the 12th for this to be resolved. And so I think we'll know a lot here in the next 48 hours or so to see what exactly happens. But no, you should be very concerned. And this is a really tangible illustration of the kinds of abstract concerns that we've had all along, because it takes a particular kind of nerd to be obsessed with this stuff, and I count myself that kind of person. But these harms are real and they really are tangible. They're just so hidden and diffuse that it takes a really high profile incident like this one to realize, oh my gosh, all this information was out there about my kid. I mean, possibly for their entire life, their entire record at school. It is now potentially something that the whole world will have access to. And I just don't think anybody should be or will be okay with that.
B
Yeah. And I want to talk about what could happen with that data briefly. And we've talked about that in other episodes. But related to this specific attack, how do you feel that Instructure handled the breach? Have you seen a good reaction from them?
C
That's all tbd, right? So we don't really know. You know, certainly they seem to be saying the right things and expressing contrition and everything else. But our point is we should never be here in the first place. This is not a place that anyone chose to be or asked to be or a risk that anyone willingly accepted. This is, we are a company with a business model and we are going to impose this on you and do this to you and you can't get out of it. And, you know, there is a world where Instructure is what I think a lot of people assume that it is, which is this Fort Knox of data. Right. If you can imagine where everything was end to end encrypted and only people who needed to have access to information had access to it. And there were always logs of access showing that, you know, your third grade English teacher was only accessing the third grade grades and not the health records and the attendance records and things that he or she had no business accessing. There are ways to build these systems. There's ways to do it that they're diffuse and not just on one server where you compromise one login credential and then you have access to the entire system. The problem is if you do it that way, if you design for privacy and security, you're not designing for interoperability. And so you're not basically designing the system where everyone else can latch onto it and integrate into it. And this data is flowing everywhere. I think that's good. I think we shouldn't have systems like this. I think these things are, you know, we're seeing it how vulnerable our kids information is, this idea, this ideology. And it is an ideology of sharing and openness and big data, you know, that benefits certain people, but it doesn't benefit kids.
B
Absolutely. And someone wrote on LinkedIn, Schools have become one of the softest targets in cybersecurity. Why aren't schools or the companies that are contracted with schools doing a better job keeping that data safe? Like why are they failing so badly when it comes to securing the data?
C
Well, it's a matter of resources, right? And you think about what is, our schools are already underfunded, you know, or maybe the funding is inappropriately allocated. Right. And so the people who go into education, they're not cybersecurity experts. They're not people who know how to do this. This is very sophisticated stuff. And I myself, I'm not a cybersecurity expert either. I could describe the system that I think should exist. I couldn't build it. These things are hard to do and they're expensive. You know, I think a lot of it is just a gap in understanding and ability. But then also you have this whole apparatus of marketing into schools and seeing them as a captive audience and basically treating schools as though they're enterprises, you know, big commercial enterprises. But if you're a big company who's going to be spending on whatever your digital solution is, you have a team that can evaluate it and you have, you know, some comparable technical expertise. You've got bargaining power. And what we've heard, and again, this is what we've heard, I'm not saying it's true, but that there is no bargaining power here. With companies like Instructure or perhaps even Instructure itself, where you're presented with a contract and it's given to the tech guy, whoever that is, and that's usually a guy and it's usually one guy. There's not a big procurement department and that person is trying to solve technical problems. And they have, you know, they have a specific worldview and experience where they're viewing this product and they're probably not data security experts or data privacy experts. They're not lawyers, they're not thinking about the invasions of privacy. And a lot of times they diminish those concerns, saying that, well, you know, privacy's dead. Haven't you heard? You know, Facebook came out in 2006. But, but the reality is privacy is not dead. 
It is still very much alive and a part of our, of our, you know, legal system and our expectations as citizens in this country. And so we have basically people who are ill equipped to make decisions and evaluate these things and really think about what the outcomes are, what the implications are. You know, and so we're just, we're in, we're in a tough spot. And I think it's not always a matter of ill intent on behalf of governance. But I do think that, you know, if you are in administration at a school district, if you are a school board member, this is your job now. You have to, you have to take this seriously. This is a part of your job. In the same way that understanding, you know, how debt financing works and bond initiatives are passed, understanding, you know, open meetings, acts, this is part of your job. And you have to get up to speed and understand when you're evaluating these things that you're placing kids entire future in harm's way. If you do it wrong and, you know, the buck, the buck stops with you.
B
Their entire future in harm's way because that data about them is so valuable and can be used against them. Right? Can you talk a little bit about that and then we'll get into advice for parents. But what can be done with this data that was exposed?
C
So, I mean, the, the main concern that everyone brings up always is identity theft. You know, that, that essentially what, what you want and need to steal someone's identity is, you know, a lot of biographical information about them. And so if you think about, you know, your bank and your bank security questions, well, to open a bank account you need a. But then you also need things like your mother's maiden name and the street they lived on when you're in the third grade, your favorite teacher. And so you think about these learning management systems. Well, they have all that information, right? They have all that there for their own school purposes, but then that gets out all in one place. And even though these are true facts, they're still really sensitive when they're all compiled together. And so it makes it very easy to open up credit cards, take out credit in somebody else's name well before they ever would know. Because most, when this happens to people, they tend to discover it when they're 16, 17, 18, opening their first kiddie credit card or going to college, applying for a student loan. And then you find out that, oh, my gosh, my information has been taken. But then we've seen other things happen where this is out there. Anyone can do anything they want with it. And so they're kind of these more surprising edge cases, use cases where, you know, stalkers could use this information. You could use it to harass people. You could use it to, you know, shame people. Think about, you know, all of the family situations that schools need to know about that the public doesn't, you know, and so showing who's abused or whose parent has, you know, drug problems or alcohol problems or whatever, those. Those things can be really harmful. And then even, you know, this. This happened.
And it's strange to me that it didn't get more coverage from this light, but in the New York mayor's race, where Zohran Mamdani, famously of Indian descent, but was from Africa and lived and grew up in Africa, and so his Columbia application was leaked from 15 years ago, and he was getting kind of mocked and pilloried for calling himself African American. Well, obviously in this country, that has a very specific connotation. But if you're not from this country and if your parents were born in Africa and you were born in Africa and now you're in America, you might, you know, say that you're African American even if you're of Indian descent. And so things like this where we don't even really know the full implications of how this can be used, other than it will be used against you. That's the point. That's the point now. That's the point forever is that this information is just. It's a vulnerability about you to be used by other people who have power over you.
B
And it's so infuriating because it's happening without parental consent and it's happening to our children without us being informed of what's being done and then allowed to opt in or out. And so let's end with just some advice for parents on what to do now. I think parents want to know if their school and their child was affected, and I assume that's just a question to their school. Would you agree with.
C
So I would wait, because we don't know yet. We don't know yet. So don't bombard your school. What is typically going to happen is, I think likely Instructure's still trying to figure this out. They've brought on cybersecurity consultants. I would imagine they're preparing their response. They're investigating. This time will tell whether they pay the ransom or not. We don't even know if the ransom is paid, if the stuff winds up being destroyed like they say it will. But there are reporting requirements and so Instructure is obligated to let its customers know if they are affected and then they will let families know. And so keep an eye out for an email from your school district. Anything before then they don't have an answer to, and you're just kind of clogging their inbox. And so I would, out of grace and sympathy for, for your school district, let, let them reach out to you. And then when they do, there will be, you know, hundreds of data breach lawsuits that will be filed. It's very kind of a typical path. This happened with PowerSchool and then those we rolled up into an MDL and then, you know, that will be, that will be litigated. If you receive one of these and have questions, you can always contact our, our law firm. We're at Tech Law. We have a contact us button at the top. And maybe by the time this posts we'll have a landing page about this breach.
B
But you got a few hours.
C
Yeah, well, not in a few hours, but, but something to look out for. But you can just contact us through our normal contact portal. You know, you'll, you'll know, you'll know your, your school district is obligated to let you know if they've been affected. And then, you know, we'll, we'll just see how, how bad it actually is. But early reports seem to suggest that it is, it is very bad.
A
Okay.
B
And within a day or two after the breach was announced, there was media saying, you know, Canvas is back online. So can we assume that our children's data still being accessed through Canvas is also insecure as it was a week ago?
C
Yeah, I think so. I mean, I, you know, I don't know. I've not seen any assurances or any, anything concrete. And obviously like there's steps that they can't disclose their own security practices. Right. And so there's things that just can't be publicly talked about, about, oh, here's how we fix the problem. Because if you tell them how you fix the problem, then, you know, it's a way for someone else to undo that. And so, but I think just proceed skeptically, proceed with caution. This is a really great opportunity, I guess, for school districts to be reevaluating how they do Learning management and how they do data collection. There are open source alternatives, there are ways to self host this. You know, as we've long said, minimization is the best strategy and compartmentalization. And so really be thinking how much information do we really need to collect our kids? Does this all need to be live and centralized or can we go back to more of a dispersed model where, you know, most of the stuff lives in teacher's gradebook and then things just, you know, as they need to be reported, are reported. But we're not doing real time persistent collection of information on kids because again, if we're here to say what's best for children, I think that's the first question that should be asked. And not what's most convenient for us as a school or what appears most convenient for us as a school district or what provides the most opportunity for the ed tech sector.
A
Right.
B
And we've been talking about kids here, which is important, but we also should be clear that thousands, if not millions of college students, millions of teachers were also affected. So their data is also exposed in that. That's just as valuable and important to be paying attention to. Right?
C
A thousand percent. Yeah. I mean we've got college students, professors, you know, and this is their entire, I mean if you think about professors, this is their entire intellectual output. You know, I mean if you really think, if you want to talk about harms beyond kids, all of the effort that goes into teaching a class, teaching a college class and all of that effort that professors put into that and all of the material that they create, that's all their own, you know, copyrighted material, that stuff that should belong to them, that's, you know, certainly under the moral rights theory, that's theirs. That's theirs. That belongs to them. And then having this just out there for others to take and steal and take advantage of or you know, search through for wrong think or, you know, whatever, again, it's all just ways for other people to use it against you. I don't know if you come back to that, but that really is, I think the, the point of this is that none of this is for the benefit of the users who interact interface with the program.
B
Yeah, and you've referenced this throughout, but it's not, this isn't just a problem with Canvas, you know, it isn't just a problem with iReady when it comes to data privacy, which we've filed a lawsuit together against Curriculum Associates. This is a larger issue and schools need to be thinking about data privacy. What needs to be shared and what doesn't, and giving parents informed consent. Do you have any other recommendations to parents or teachers to end with around the larger issue and what's at stake here, our kids.
C
Privacy is fundamentally at stake here. And I think understanding what that means, what privacy means, and it's not just things that you hide or things that you're embarrassed about. I may have mentioned this before, but there's this great book that I read, Lowry, the Right to Oblivion. And it's just this meditation on all the different types of privacy. And the thing that I found most profound in that book was that essentially privacy is the soil in which we grow, that kids need that. So you wouldn't say a seed is hiding, it's growing, it's developing. And that ability to experience childhood free from scrutiny and free from permanent memory and permanent judgment, permanent manipulation is something that people our age, we didn't have to contend with, we didn't live in that life. But now we've raised a generation and a half of kids who won't, who won't have that. And I think it's going to. The harms from that will be profound and already are. And so I think that privacy, it's not something we should view as a luxury any more than soil is viewed as a luxury for flowers or crops. Like, this is the place where the growth happens and we need these protected environments to kind of close. On a bit of a philosophical note, it is really, really important. And beyond just the legally actionable theories that we're pursuing, I think it's a profound question of our time.
B
Beautiful. I love how you illustrated that for us. And so parents, teachers, admins, whoever wants to learn more about this issue in general can go to EdTech Law, reach out.
C
You know, we are a consumer protection law firm in Austin, Texas. We practice nationwide. If you have concerns about certain platforms that your kids use, if your kids have been harmed in any, you know, more immediate ways by their school computers, we're here to help. We are scaling up our intake operations and so we're hoping to be able to respond much more quickly than we have in the past to the extreme demand that we're getting. And so no, we're here to help. You don't have to pay out of pocket for our services. We're contingency fee based because we want to help. We want to help everyone who needs it. And right now, millions and millions of people need our help.
B
We do. I do. We all do. We need your help. We need to fix these wrongs and we're so grateful to you, Andy, and your wife, Julie, and all your family is doing to support parents like me. So thank you, Andy. We'll be back soon with some more updates.
C
Thanks, Nicki. Always great to see you.
Episode: The Canvas Breach: 275 Million People at Risk
Host: Nicki Petrossi
Guest: Andy Liddell, Attorney, EdTech Law Center
Release Date: May 11, 2026
In this urgent episode, host Nicki Petrossi addresses an unprecedented cyberattack that has compromised the data of up to 275 million students, teachers, and staff through a breach of the widely-used Canvas learning management system (LMS), created by Instructure. Nicki and legal expert Andy Liddell break down how the breach happened, what data is at risk, the implications for students and families, and what steps parents can take now. They also tackle the broader issues of EdTech data privacy, the responsibilities of schools and vendors, and the philosophical stakes of privacy for children.
Background on the Attack
Scope of Canvas Usage
Types of Data Collected by Canvas
Consequences of the Breach
Panic Among Parents
Effectiveness of Ransom Tactics
Critique of Vendor Practices
Lack of Informed Consent
Why Schools Are Vulnerable
Identity Theft
Other Dangers
Don’t Panic or Overwhelm Schools
Monitoring and Legal Action
Ongoing Risk
Not Just Kids
Systemic Problems, Not Isolated Incidents
On the magnitude and lasting impact of the breach:
“All this information was out there about my kid. I mean, possibly for their entire life, their entire record at school. It is now potentially something that the whole world will have access to. And I just don't think anybody should be or will be okay with that.”
— Andy Liddell (07:50)
On designing secure vs. usable systems:
“If you design for privacy and security, you're not designing for interoperability... this ideology of sharing and openness and big data, you know, that benefits certain people, but it doesn't benefit kids.”
— Andy Liddell (09:29)
On the role of privacy:
“Privacy is the soil in which we grow. Kids need that. So you wouldn't say a seed is hiding, it's growing, it's developing... It's not something we should view as a luxury any more than soil is viewed as a luxury for flowers or crops.”
— Andy Liddell (22:25)
This episode brings to light the seismic impact of the Canvas breach—not only for students but for teachers and the broader educational community. It’s a call to action for parents, schools, and policymakers to treat data privacy with the seriousness it deserves and to reevaluate the surveillance-based models driving the EdTech sector. At its heart is a plea for restoring privacy as the protected soil where children and educators can develop, learn, and thrive without fear of exposure.
For more resources, visit EdTech Law Center.